an estimated 10 million machines. Though the damage has been minimal, the worst is yet to come, said researchers.


The fledgling botnet is set up. Zombied machines are awaiting orders. But so far the attacker has stayed silent. Security researchers are monitoring the more than 200 IP addresses being used to connect the attacker to the infected machines.

"There's no telling what kind of damage this could inflict," said Derek Brown, a security researcher with TippingPoint's DVLabs. "We know that this is usually financially motivated, so we're just waiting to see what happens next."

Brown said the worm's proliferation peaked more than a week ago, when those who had been slow to install Microsoft's MS08-067 patch finally deployed it. But it continues to slowly build its base on corporate networks by spreading via USB sticks and other removable storage. Even if corporate servers and endpoint machines are fully patched, the worm can still land on one machine on the network (over removable media, for example) and spread from there across mapped drives and file shares, Brown said. Adding to the frustration is Conficker/Downadup's code base, which contains a password cracker that has been successful in companies with weak password policies. The code also directs the worm to probe multiple IP addresses and spread wherever it finds a hole.

Once a machine is infected, the worm reports back to the attacker, including the victim machine's location among other details about it. Brown said the worm's author should be able to profit on the black market by breaking up the botnet and selling it off by location.

By comparison, the Microsoft Blaster worm of 2003 exploited a Windows service vulnerability (in the RPC service) similar to the Server service flaw that Conficker exploits. Blaster exploded onto the Internet, said Thomas Cross, a security researcher with IBM ISS' X-Force security team: it reached its propagation peak within eight hours of its first appearance, and most of the hosts it ever infected were infected within one week.

"Conficker did not propagate nearly as efficiently," Cross said. "This worm didn't become a major story until January."

In January, the worm's author added the extra propagation vectors: AutoRun on removable media and file-share spreading backed by password cracking. The worm has been effective because it takes advantage of the open file sharing and poor password management that are prevalent in many businesses.
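The password-guessing spread described in the two paragraphs above (the worm trying weak credentials against file shares on host after host) is a pattern that shows up clearly in logon-failure records, and it is what a detection engineer would hunt for while the botnet is still quiet. The script below is an added example, not code from the article and not Conficker's own code: it parses constructed sample logon records (a simplified whitespace format assumed for the example, not native Windows event-log output), flags any source that racks up many failed logons across several target hosts or usernames within a short window, and lists the targets where that same source later logged on successfully, which is the sign the guessing worked. The window and thresholds are assumptions to be tuned per environment.

```python
"""Flag hosts that behave like a share-spreading worm guessing passwords.

Added example. The log lines and the record format are constructed for
this script; on real Windows hosts the equivalent data comes from the
Security log (logon failure 529/4625, logon success 528/4624).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, target host, target user, result
SAMPLE_LOG = """\
2009-01-20T09:00:01 10.0.5.17 FS01 administrator FAIL
2009-01-20T09:00:02 10.0.5.17 FS01 administrator FAIL
2009-01-20T09:00:02 10.0.5.17 FS01 backup FAIL
2009-01-20T09:00:03 10.0.5.17 FS01 jsmith FAIL
2009-01-20T09:00:04 10.0.5.17 FS02 administrator FAIL
2009-01-20T09:00:05 10.0.5.17 FS02 administrator OK
2009-01-20T09:00:06 10.0.5.17 FS03 administrator FAIL
2009-01-20T09:03:00 10.0.7.4 FS01 jsmith FAIL
2009-01-20T09:03:30 10.0.7.4 FS01 jsmith OK
"""

# Assumed thresholds: a worm hammers many targets fast, a user mistypes once or twice.
WINDOW = timedelta(seconds=60)
MIN_FAILURES = 5       # failed logons from one source inside WINDOW
MIN_TARGETS = 2        # ... spread over this many hosts, or
MIN_USERS = 3          # ... over this many usernames


def parse_log(text):
    """Parse the constructed format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, target, user, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "target": target,
            "user": user,
            "ok": result == "OK",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_spraying_sources(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Return {source_ip: finding} for sources whose failures look like spraying.

    A finding records the densest failure burst seen for that source and any
    hosts the source logged on to successfully after the burst began
    (possible footholds the worm has already taken).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        start = 0
        # Sliding window over the failure stream, ordered by time.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = failures[start:end + 1]
            users = {e["user"] for e in burst}
            targets = {e["target"] for e in burst}
            if len(burst) < min_failures:
                continue
            if len(targets) < MIN_TARGETS and len(users) < MIN_USERS:
                continue
            first_fail = burst[0]["ts"]
            footholds = sorted({e["target"] for e in evs
                                if e["ok"] and e["ts"] >= first_fail})
            prev = findings.get(src)
            if prev is None or len(burst) > prev["failures"]:
                findings[src] = {
                    "failures": len(burst),
                    "users": sorted(users),
                    "targets": sorted(targets),
                    "footholds": footholds,
                }
    return findings


if __name__ == "__main__":
    for src, f in find_spraying_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['failures']} failures against {f['targets']} "
              f"as {f['users']}; successful logons afterwards on {f['footholds']}")
```

In the sample, 10.0.5.17 produces six failures in five seconds against three hosts and three accounts and then succeeds on FS02, so it is reported with FS02 as a likely foothold; 10.0.7.4, a user who fails once and then logs in, is not. Feeding real data means mapping the source-address, target-host and account fields out of the 4625/4624 (or 529/528) events and raising the thresholds to what the environment's normal failure rate tolerates.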

"People are much better at managing vulnerabilities in 2008 and 2009 than they were in 2003," Cross said. "People are more proactive in updating their machines. They've got automated Windows Update, they've got IPS systems in place and so they're doing a better job with vulnerability management."

Cross said the damage the fledgling botnet will inflict is still unknown. Only once the attacker delivers a payload to the infected machines will security professionals be able to measure the extent of Conficker's destruction.

Experts agree that worm propagation and exploitation on this scale is now primarily a financially motivated method of attack.

"The days of people doing this because they're bored are mostly over," Cross said. "We would expect that the person who controls this thing will try to auction off parts of the network that they have created."

The attacker can order the bots to install spyware on victims' machines to collect bank login credentials or credit card numbers. They could use hundreds of thousands of machines to conduct a denial-of-service attack against a specific website or business, or they could check whether the worm succeeded in infiltrating a specific network and try to gain access to critical files there, Cross said.

"We don't know who controls this thing and what their motivations are," Cross said. "Who knows what's going to happen."
